安装docker

https://docs.docker.com/engine/install

以非root用户身份管理docker

https://docs.docker.com/engine/install/linux-postinstall

为docker启用Linux user namespace

https://docs.docker.com/engine/security/userns-remap
https://medium.com/@kasunmaduraeng/docker-namespace-and-cgroups-dece27c209c7

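# Create a user called "dremap"
# This account only provides the id mapping: no home, no password, no login.
# Guarded with id(1) so the snippet can be re-run without adduser failing.
id dremap >/dev/null 2>&1 || sudo adduser --no-create-home --disabled-password --disabled-login dremap
# Setup subuid and subgid
# Append instead of overwriting (the original used '>'): /etc/subuid and
# /etc/subgid hold the subordinate ranges of every user on the host, and
# clobbering them silently breaks any other mapping that was already there.
dremap_range='dremap:400000:65536'
for idmap in /etc/subuid /etc/subgid; do
  if grep -q '^dremap:' "$idmap" 2>/dev/null; then
    # An entry already exists; do not add a second, possibly different, one.
    printf 'note: %s already has an entry for dremap, leaving it unchanged\n' "$idmap" >&2
  else
    printf '%s\n' "$dremap_range" | sudo tee -a "$idmap" >/dev/null
  fi
done
# NOTE(review): confirm 400000-465535 does not overlap a range already
# assigned to another user in these files before relying on it.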
# Point the daemon at the "dremap" user; its ranges are read from
# /etc/subuid and /etc/subgid.  If daemon.json already exists, merge this
# key into the existing object rather than replacing the file — the
# "runtimes" block added later in these notes lives in the same file.
sudo vim /etc/docker/daemon.json 
{
 "userns-remap": "dremap"
}
# Restart Docker
# NOTE(review): these notes use a full restart here (only reload for the
# runtime change further down); a restart stops running containers, and the
# remapped daemon keeps its state under a separate data root (see the
# /var/lib/docker/400000.400000 listing in the test below).
sudo systemctl restart docker

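# Test: output like the #out lines below means the remap is in effect
docker run -d --rm ubuntu sleep 100
# Match '[s]leep' so grep does not list its own command line as a hit.
ps -ef | grep '[s]leep'
#out: 400000      4981    4961  2 14:40 ?        00:00:00 sleep 100
# First column is the host uid the container's "root" runs as: 400000
# (the start of the dremap range), not 0.
sudo ls /var/lib/docker/400000.400000
#out: buildkit  containers  engine-id  image  network  overlay2  plugins  runtimes  swarm  tmp  volumes
# The remapped daemon keeps its state in a data root named after the first
# subordinate uid and gid of the mapping.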

安装gVisor启用沙箱隔离

https://gvisor.dev/docs/user_guide/install/

安装gVisor

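(
  set -euo pipefail
  ARCH=$(uname -m)
  # Release to install; "latest" matches the upstream instructions.  Set
  # GVISOR_RELEASE=<release-id> to pin a dated release for reproducible installs.
  GVISOR_RELEASE=${GVISOR_RELEASE:-latest}
  URL="https://storage.googleapis.com/gvisor/releases/release/${GVISOR_RELEASE}/${ARCH}"
  # Download into a private temp dir so nothing is left in (or picked up
  # from) the current directory; it is removed on any exit of this subshell.
  tmpdir=$(mktemp -d)
  trap 'rm -rf -- "$tmpdir"' EXIT
  cd "$tmpdir"
  wget "${URL}/runsc" "${URL}/runsc.sha512" \
    "${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"
  # The .sha512 files come from the same origin as the binaries, so this
  # only catches corrupted or truncated downloads; it does not authenticate
  # the publisher.
  sha512sum -c runsc.sha512 containerd-shim-runsc-v1.sha512
  # install(1) copies the files root-owned with mode 0755.  The original
  # 'chmod a+rx' + 'sudo mv' kept the downloading user as owner of a binary
  # that the daemon later executes as root.
  sudo install -o root -g root -m 0755 runsc containerd-shim-runsc-v1 /usr/local/bin/
)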

为docker启用runsc运行时

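# Register runsc as a Docker runtime (this adds a runsc entry to
# /etc/docker/daemon.json) and reload the daemon config without
# restarting running containers.
sudo /usr/local/bin/runsc install
sudo systemctl reload docker
# Smoke test.  When the daemon runs with userns-remap, a runsc container
# must opt out of the remap with --userns host (that container then relies
# on gVisor's sandbox alone for isolation, not on the uid remap).  Detect
# which case applies instead of running both variants and letting one fail.
if docker info --format '{{.SecurityOptions}}' | grep -q 'name=userns'; then
  docker run --rm --userns host --runtime=runsc hello-world
else
  docker run --rm --runtime=runsc hello-world
fi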

禁用网络隔离

默认runsc会将容器网络隔离, 导致不同容器之间无法互通; 在/etc/docker/daemon.json添加如下内容禁用网络隔离 (--network=host 使runsc容器直接使用主机网络栈, 而不经过gVisor自带的用户态网络栈, 这会降低沙箱的网络隔离程度)

{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--network=host"
            ]
       }
    }
}
# Reload so the daemon picks up the new runtimeArgs.  Note that
# --network=host applies to every runsc container started through this
# runtime and routes their traffic through the host network stack instead
# of gVisor's own, which is a real reduction of the sandbox boundary.
sudo systemctl reload docker